SMART UMA

From IIW

Session: Wed Session 3, Space C

Conference: IIW 10 May 17-19, 2009 this is the complete Complete Set of Notes

Convener: Maciej Machulak

Notes-taker(s): Eve Maler

Tags for the session - technology discussed/ideas considered:

UMA site: http://kantarainitiative.org/confluence/display/uma/Home SMART project slides: http://kantarainitiative.org/confluence/download/attachments/38371737/SMARTOverview.pdf Screenshots of SMART prototype demo: http://kantarainitiative.org/confluence/display/uma/SMART+project+user+experience UMA CV-sharing scenario: http://kantarainitiative.org/confluence/display/uma/cv_sharing_scenario


Notes:


The SMART project at Newcastle University is for Student-Managed Access to Online Resources. It's based on UMA, and UMA is based on OAuth 2.0, such that an UMA requester has to present an access token to get access to a user's resources at a host. The user's authorization manager decides whether to hand out access tokens based on user policy.

The SMART project objectives are:

  • Define a scenario that focuses on higher ed, and provide a comprehensive requirements analysis
  • Develop an UMA-based solution

Newcastle University has 4500 staff members and 19,000 students. A lot of data (both personal info -- DOB, address, resumes, etc. -- and resources such as documents) is hosted by Newcastle. It needs an efficient, secure, and usable access management system that supports both data owners and data consumers. E.g., you may want to share your research selectively with some collaborators.

The project team integrates researchers, developers, and information systems management personnel.

The UMA "CV-sharing scenario" is the basis for the scenario being worked on in the project. Today, a student has to manually assemble a set of artifacts to provide to prospective employers. If the student is still in classes, some of this data needs to be refreshed (like their marks from classes they've taken).

Question: What about transitivity? If a professor writes a letter of recommendation for a student, and the student wants to include it in a prospective-employer resource bundle for further sharing, does the professor give access to the student in such a way that the student can then transitively grant access to another party without needing to go back to the professor? Yes, through a system of demanding claims.

In some cases, the materials are digitally signed, or may be packaged software.

Some job search websites have you upload a bunch of data, and then prospective employers go to the job search site to see it.

Question: Can the professor has read/write/append rights to the letter, the student has read/append rights, and others have only read rights? Yes.

The project team did an analysis of the ways resources are being shared in the university, and web applications being used for this. It turned out the web apps didn't support cross-university collaboration groups.

If there are two universities, A and B, each typically serves as an IdP for their own populations and their own web applications that respect that IdP. Some applications are allowed access to the resources of other universities by becoming relying parties to the other IdP. So a student at university B can access certain resources at university A, but only if A's web app can talk to the IdP of B.

So what happens right now is that the Grouper framework is used to manage groups of identities. A cross-university collaboration group could be created at Grouper, and the particular apps that need it are told about the group and how to connect to the Grouper server.

One goal of the project is to eliminate the Grouper entity, and replace it with an UMA authorization manager that works with the Shibboleth higher-ed federation as a repository of policies that govern access.

Another goal is to enhance the eScience system (which stores resources for collaboration with others) to allow it to point to resources "in the cloud" instead. This will allow researchers to use whatever web apps they prefer to create the research but also allow eScience to have access to that research. Today it's sort of like SharePoint :-), where you have to upload files. Through SMART, it will become "just another web app" in the research ecosystem.

The project started about five weeks ago, but they have already got a prototype/demo (shown live in this session and at Tuesday's demo session).

  • You store photos on a particular host site.
  • You tell the site that you want it to use "smartam" for protecting the resources hosted there, but giving it the URL of the AM.
  • You get redirected to smartam and are asked to approve the connection between this host and this AM, in an OAuth 2.0 user delegation flow.
  • Thereafter, on the AM, you can browse around a description of the resources that are now protected at that host.
  • You provide the URL of a protected resource to some requester.
  • The requester has to learn where the AM is and go through an UMA dance to get permission to obtain the resource.
  • For the purposes of the demo so far, the requester is asked to log in at the AM to prove their suitability for access, but the ultimate goal of the project is to have them prove this by means that are not tied to AM authentication/identification.
  • In the case of the second protected resource, it demands that the requester agree (by checking checkmarks) that they are over 18 and agree to the further sharing constraints imposed by the authorizing user.

All the code will be open-sourced, and full documentation will be made available. They want to provide a solid set of UMA libraries.

Question: What about CMS's that use LDAP today? Could this software work as a wrapper? A: It wouldn't be a wrapper, but there is a goal to integrate with LDAP.